
Diff for /www/Attic/porting.html between version 1.15 and 1.16

version 1.15, 1998/12/20 17:08:45 version 1.16, 1998/12/21 21:48:41
Line 95 
Line 95 
        <code>strcat/strcpy/strcmp/sprintf</code>.  In general,         <code>strcat/strcpy/strcmp/sprintf</code>.  In general,
        <code>sprintf</code> should be replaced with <code>snprintf</code>.         <code>sprintf</code> should be replaced with <code>snprintf</code>.
   
    <li>Never use filenames when you need security.   There are numerous race     <li>Never use filenames insteaad of true security. There are numerous race
        conditions where you don't have proper control. For instance, an attacker         conditions where you don't have proper control. For instance, an attacker
        who already has user privileges on your machines may replace files in         who already has user privileges on your machines may replace files in
        <code>/tmp</code> with symbolic links to more strategic files, such as         <code>/tmp</code> with symbolic links to more strategic files, such as
        <code>/etc/passwd</code>.         <code>/etc/passwd</code>.
   
      <li>For instance, both <code>fopen</code> and <code>freopen</code>
          <strong>create a new file or open an existing file</strong> for
          writing. An attacker may create a symbolic link from
          <code>/etc/paswd</code> to <code>/tmp/addrpool_dump</code>. The
          instant you open it, your password file is hosed. Yes, even with
          an <code>unlink</code> right before. You only narrow the window
          of opportunity.  Use <code>open</code> with
          <code>O_CREAT|O_EXCLUDE</code> and <code>fdopen</code> instead.
   
    <li>For instance, one very common problem is the <code>mktemp</code>     <li>Another very common problem is the <code>mktemp</code>
        function. Head the warnings of the bsd linker about its uses.         function. Head the warnings of the bsd linker about its uses.
        <strong>These must be fixed</strong>.         <strong>These must be fixed</strong>.
        This is not quite as simple as <code>s/mktemp/mkstemp/g</code>.  <br>         This is not quite as simple as <code>s/mktemp/mkstemp/g</code>.  <br>
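Review bot: In the added fopen/freopen item, the flag is written as O_CREAT|O_EXCLUDE, but the open(2) flag is O_EXCL; a porter who copies the text as written gets a compile error rather than the exclusive create the item recommends. The same item states the symlink backwards and misspells the target: the attacker plants the link at /tmp/addrpool_dump pointing to /etc/passwd, not "from /etc/paswd to /tmp/addrpool_dump". It would also help to state why O_EXCL closes the window that unlink only narrows: with O_CREAT|O_EXCL the open fails if the name already exists, symlink included, so the check and the create are a single step. Smaller points: "insteaad" in the rewritten lead sentence is a typo and "Never use filenames instead of true security" is less clear than the wording it replaces; the new nested <li> has no visible enclosing <ul>; and two consecutive sentences now open with "For instance".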
